Update _permission_check.yaml

team-k8s-bot · web-flow · commit ea3aad5a4a07 · 2024-11-28T11:07:51.000+01:00
diff --git a/.github/workflows/_permission_check.yaml b/.github/workflows/_permission_check.yaml
@@ -12,7 +12,7 @@ on:
         type: string
 
 jobs:
-  check-permission:
+  check:
     runs-on: ubuntu-latest
     steps:
       - name: Logging
@@ -32,20 +32,42 @@ jobs:
             echo "USER=${{ github.triggering_actor }}" >> $GITHUB_ENV
           fi
 
-      - name: get user permission
-        id: checkAccess
+      - name: get user (${{ env.USER }}) permission
+        id: check_access
         uses: actions-cool/check-user-permission@v2
         with:
           require: write
           username: ${{ env.USER }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: check user permission (non-PR)
-        if: env.USER != 'dependabot[bot]' && env.USER != 'renovate[bot]' && steps.checkAccess.outputs.require-result == 'false'
+      - name: get whether triggering_actor (${{ github.triggering_actor }}) is a contributor
+        id: check_triggering_actor
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          check-contributor: true
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check permissions
+        # If
+        # - this is triggered by a PR (send by someone else than dependabot or renovate), and
+        # - author association is neither 'COLLABORATOR' nor 'OWNER', and
+        # - triggering actor is not a contributor, then exit with an error.
+        if: |
+          inputs.pr_user_login != '' &&
+          inputs.pr_user_login != 'dependabot[bot]' &&
+          inputs.pr_user_login != 'renovate[bot]' &&
+          github.event.pull_request.author_association != 'COLLABORATOR' &&
+          github.event.pull_request.author_association != 'OWNER' &&
+          steps.check_triggering_actor.outputs.check-result == 'false'
         run: |
-          echo "${{ env.USER }} does not have permissions on this repo."
-          echo "require-resuilt is ${{ steps.checkAccess.outputs.require-result }}"
-          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "${{ inputs.pr_user_login }} does not have permissions on this repo."
+          echo "Contributor check-result for triggering_actor: ${{ github.triggering_actor }} is ${{ steps.check_triggering_actor.outputs.check-result }}"
+          echo "Current permission level is ${{ steps.check_access.outputs.user-permission }}"
           echo "Job originally triggered by ${{ github.actor }}"
+          echo "Author association is ${{ github.event.pull_request.author_association }}"
           exit 1
+
